- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can I calculate the number of errors for t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I calculate the number of errors for the last hour for a period of time and get the min/max in that time span?
Hi All,
I'm trying to do a simple search on a log based on relative time, i.e. I need to calculate number of errors for last hour for a period of time and get the min/max in that time span.
eg: If I login now at 1:15 AM I should see the results from 00:00 to 1:00 A.M and I need that values for a period of time where I can find the min/max for that period.
So for that the below query which I'm trying is not working.
index=xyz|eval Time1=strftime(relative_time(now(),"-1h")|table Time1|dedup time1|Join Time1[search index =xyz|eval testDate=strftime(_time,"%Y-%m-%d")|eval Time1=strftime(_time,"%H")|stats count(eval(Logstate="Reject") as RejectCount by TestDate Time1]
But the below query doesnt fetch the desired result. So, could anyone help with the above query?
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For writing a better search you should filter required results as early in your search as possible. In your case since you are interested only for Rejected events you should include Logstate="Reject" in your base search and just print the count.
index=xyz earliest=-1h@h latest=@h Logstate="Reject"
| stats count as RejectCount min(_time) as EarliestEventTime max(_time) as LatestEventTime
| addinfo
| fieldformat info_min_time=strftime(info_min_time,"%c")
| fieldformat info_max_time=strftime(info_max_time,"%c")
| fieldformat EarliestEventTime=strftime(EarliestEventTime ,"%c")
| fieldformat LatestEventTime=strftime(LatestEventTime,"%c")
| fields - info_search_time info_sid
PS: All the time fields are added for you to see your search's earliest and latest time (i.e. info_min_time and info_max_time) and also your earliest and latest events (EarliestEventTime,LatestEventTime). You can remove these fields if you don't require or have tested the results as per your need.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am not sure of the join logic..
but, when you run the 2nd part alone, will it give results?
index=xyz|eval testDate=strftime(_time,"%Y-%m-%d")|eval Time1=strftime(_time,"%H")|stats count(eval(Logstate="Reject") as RejectCount by TestDate Time1| table RejectCount TestDate Time1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume you intend to create some statistics about the events from the last full hour, e.g. at 09:36, you want all events wich occurred between 08:00 and 08:59.59.999 so, earliest=-1h@h latest=@h will give you just this events. There you may just append your stats function. I don't know if you can have an eval in a count, I had to take the eval out of the count function on some occasions.
If you need the count per full hour for some time, e.g the last day, then my best guess would be to use span.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=xyz earliest=-1h@h latest=@h ...
see Time Modifiers
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
